Analysis
-
max time kernel
148s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-10-2022 17:24
General
-
Target
1c87c2b61567f8e5763bdea57d3628147e5db429cec45dffb7e835bf81d39ac3.exe
-
Size
1.2MB
-
MD5
822dd46ca0b5d2ca0bffece58e2a0bcd
-
SHA1
6ebfddd3db40b70cb81f952ed10455abcd2b0e02
-
SHA256
1c87c2b61567f8e5763bdea57d3628147e5db429cec45dffb7e835bf81d39ac3
-
SHA512
23dc365ba77056027f8d387ff0ddfe38763c46b6c3dd647cd8b4fc8091bdfbd1671468f3afd8a6b1f24df2f1b50afd163b521cdabca25a359218797859ef6d83
-
SSDEEP
24576:3Sev5VtpRf4tFmM1Dcvj3E8FgXqQmX+KK:3SY3fO4suEHLmuKK
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Creates new service(s) 1 TTPs
-
Sets file to hidden 1 TTPs 9 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Sets service image path in registry 2 TTPs 2 IoCs
-
Stops running service(s) 3 TTPs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 3 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c87c2b61567f8e5763bdea57d3628147e5db429cec45dffb7e835bf81d39ac3.exe"C:\Users\Admin\AppData\Local\Temp\1c87c2b61567f8e5763bdea57d3628147e5db429cec45dffb7e835bf81d39ac3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Documents and Settings\All Users\Application Data\baiducoma.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy *date.exe D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy *date.scr D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h +r "C:\Documents and Settings\All Users\Application Data\baiducoma.bat"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Documents and Settings\All Users\Application Data"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\Common Files\Microsoft Shared\Web Folders"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "ekrn.exe safeboxTray.exe nod32krn.exe kwatch.exe shstat.exe Client.exe ashserv.exe" pid1.txt3⤵
-
-
C:\Windows\SysWOW64\sc.exesc delete knlps3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "CCenter.exe services.exe 360tray.exe KVMonXP.kxp RSTray.exe RfwMain.exe 8date.exe" pid1.txt3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName" /v "ComputerName" /t reg_sz /d └╢╙ε╚║:41061527 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v "ComputerName" /t reg_sz /d └╢╙ε╚║:41061527 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v "NV Hostname" /t reg_sz /d └╢╙ε╚║:41061527 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters" /v Hostname /t reg_sz /d └╢╙ε╚║:41061527 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Micsofoffice1.exe "Microsoft\Micsofoffice1.exe" /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Micsofoffice2.rar "Microsoft\Micsofoffice2.rar" /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\sc.exeSC create Microsoftmanager binPath= "C:\Documents and Settings\All Users\Application Data\Microsoft\Micsofoffice1.exe" Start= auto displayname= "Microsoftnetwork gervice" type= own3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config Microsoftmanager start= auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeSC description Microsoftmanager "╬¬╣▄└φ║═╬¼╗ñ╘┌╝╞╦π╗·─┌NTFS┤┼┼╠╬─╝■╓«╝Σ╡─╧╡═│╩²╛▌┐Γ,╧√╧ó╢╙┴╨,╬─╝■╧╡═│╡╚╫╩╘┤╣▄└φ╞≈╡─╩┬╬±╠ß╣⌐╓º│╓.╜╧╡═░µ▒╛╡─▓┘╫≈╧╡═│╘≥▓╗╗ß╖ó╔·╒Γ╨⌐╩┬╬±.╚τ╣√╜√╙├┤╦╖■╬±,╚╬║╬╥└└╡┤╦╖■╬±╡─╞Σ╦√╖■╬±╜½╬▐╖¿╞⌠╢»."3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Microsoft\Micsofoffice2.rar"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "Microsoft\Micsofoffice1.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s BaiDuhi.reg3⤵
- Modifies security service
- Modifies visiblity of hidden/system files in Explorer
- Sets service image path in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr "D:\My documents\╬╥╡─╥⌠└╓║══╝╞¼╩╒▓╪date.SCR" /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "D:\My documents\╬╥╡─╥⌠└╓║══╝╞¼╩╒▓╪date.scr" D:\Windows╧╡═│╔∙╥⌠╬─╡╡▒╕╖▌╬─╝■╝╨date.SCR /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "D:\My documents\╬╥╡─╥⌠└╓║══╝╞¼╩╒▓╪date.scr" E:\╤█╛ª░╤╤╢║┼┤½╕°─π╡─╨─┴Θ╩╟┴φ╥╗╓╓┐╒╞°-╗╢╙¡╝╙╚δ░┘╢╚└╢╔½╙ε╓µ╛ⁿ═┼╫▄╚║║┼41061527\Windows▒ú╗ñ╬─╡╡▒╕╖▌╬─╝■╝╨date.SCR /q /h /r /y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\cacls.execacls E:\╤█╛ª░╤╤╢║┼┤½╕°─π╡─╨─┴Θ╩╟┴φ╥╗╓╓┐╒╞°-╗╢╙¡╝╙╚δ░┘╢╚└╢╔½╙ε╓µ╛ⁿ═┼╫▄╚║║┼41061527 /D GBQHURCC3⤵
- Enumerates connected drives
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s D:\Windows╧╡═│╔∙╥⌠╬─╡╡▒╕╖▌╬─╝■╝╨date.SCR3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h D:\Windows╟²╢»│╠╨≥▒╕╖▌╬─╡╡╬─╝■.scr3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s "D:\My documents\╬╥╡─╥⌠└╓║══╝╞¼╩╒▓╪date.scr"3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Windows\system32\Microsoft3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h Microsoft3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\SysWOW64\find.exefind /v ""3⤵
-
-
C:\Windows\SysWOW64\fsutil.exefsutil fsinfo drivetype Drives:3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c findstr /i "╥╞╢»" 200.txt3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /i "╥╞╢»" 200.txt4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51350b2336d9210a3e11333a81e3ea33a
SHA1c9ffa4332660e8821612640eb1cb7f9d717b68bf
SHA256652cc677a43547d6008c104196c5361d1c4fe259ff64dab501391632b30d4337
SHA512df8464c3a236d200c6da3cdbcaf98cfe10046b5477091569ccab45d80766204e287864ed62a572afd9772cf0eb33370bcf8e7a69eea1b2b68296163874741291
-
Filesize
24KB
MD5b5d266afb1cba8474f1e59b41561526e
SHA1588a88e72cfe2b3551f9852b7a2f6f19a102e708
SHA25624c1514acdd74dab641e49b56a4c9061d77696d83b7149eae958ec1e1dec961b
SHA512ad4558887f05ed1ed3f9bb70022fa4aee925d7707aed69a15fdd008471243af88b245fba6a68bdbf22ef05ccdf60f362883ce85c71077ba232413a7d6812c7d2
-
Filesize
1.2MB
-
Filesize
12KB
-
Filesize
336KB